
sagate.exe


What is it?
sagate.exe is a file associated with the W32.Gaobot.BOW worm.

What does it do?
W32.Gaobot.BOW is a network-aware worm that has backdoor capabilities and can be controlled through IRC channels

When W32.Gaobot.BOW is executed, it performs the following actions:

Copies itself as %System%\sagate.exe.

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Adds the value:

"Sagate Security Firewall" = "sagate.exe"

to the registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

so that W32.Gaobot.BOW runs when you start Windows.

Connects the backdoor component to the remote IRC server lud.b0b.org on TCP port 7000 and awaits commands from a remote attacker.

The backdoor allows the attacker to perform some of the following actions on the compromised system:
  • Download and execute files
  • Scan the network
  • List, stop, and start processes
  • Control the file system (Delete, create, and list files)
  • Launch Denial of Service (DoS) attacks
  • Perform port redirection
  • Start a socks proxy
  • Start an FTP server
  • Retrieve Windows product keys
Opens three randomly selected TCP ports.

Overwrites %System%\drivers\etc\hosts with lines that map antivirus and security vendor hostnames to 127.0.0.1.
Attempts to copy itself to the following shares on randomly generated IP addresses:
  • admin$
  • print$
  • C$
  • D$
  • E$
using its own list of user names and passwords.

Sends HTTP GET requests to a list of external hosts to measure connection speed.
Attempts to steal CD keys for a number of computer games
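
A triage check for two of the traces described above, the "Sagate Security Firewall" autorun value and the hosts file rewritten to point hostnames at 127.0.0.1. This is an added example, not code from this site or from Symantec; the function names, the sample hosts file, the sample registry export and the `.example` hostnames are constructed for illustration.

```python
import ipaddress

# Indicators from the description above; everything else here is constructed.
RUN_VALUE_NAME = "sagate security firewall"
RUN_VALUE_DATA = "sagate.exe"
LOCAL_NAMES = {"localhost", "localhost.localdomain"}  # assumed legitimate loopback names

def loopback_redirects(hosts_text):
    """Return hostnames, other than local aliases, that a hosts file maps to loopback."""
    flagged = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: ignore the malformed line
        if addr.is_loopback:
            flagged += [h.lower() for h in fields[1:] if h.lower() not in LOCAL_NAMES]
    return flagged

def autorun_hits(run_values):
    """run_values: {key path: {value name: data}} exported from Run and RunServices."""
    hits = []
    for key, values in run_values.items():
        for name, data in values.items():
            if name.lower() == RUN_VALUE_NAME or RUN_VALUE_DATA in data.lower():
                hits.append((key, name))
    return hits

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Constructed sample inputs (hostnames use the reserved .example TLD).
SAMPLE_HOSTS = (
    "127.0.0.1 localhost\n"
    "127.0.0.1 updates.av-vendor.example  # blocks signature updates\n"
    "127.0.0.1\tWWW.AV-Vendor.example www2.av-vendor.example\n"
    "10.0.0.5 fileserver.corp.example\n"
    "::1 localhost\n"
    "garbage line\n"
)
SAMPLE_RUN = {
    RUN_KEY: {"Sagate Security Firewall": "sagate.exe", "ctfmon": r"C:\Windows\System32\ctfmon.exe"},
    RUN_KEY + "Services": {"Sagate Security Firewall": "sagate.exe"},
}

if __name__ == "__main__":
    for host in loopback_redirects(SAMPLE_HOSTS):
        print("hosts file redirects to loopback:", host)
    for key, name in autorun_hits(SAMPLE_RUN):
        print("autorun entry:", key, "->", name)
```

Ad-blocking hosts files also map names to loopback, so treat hosts-file hits as leads to review rather than proof of infection.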

More info and Removal
@symantec



sagate.exe is Spyware!

Startup DB Entries:
[Sagate Security Firewall]"Added by the GAOBOT.BOW WORM!" b

Service DB Entries:
Nothing Found

Disclaimer

Every attempt has been made to ensure the information about sagate.exe is accurate, but a lot of malware applications try to pose as valid applications. If it is something other than what was posted above, please leave some feedback in the forum.